DNS managed zone DNSSEC key-signing keys should not use RSASHA1 Affecting Cloud DNS service in Google

Severity Framework Snyk CCSS

Rule category Network / Security

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Google CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00402
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

DNS managed zone DNSSEC key-signing keys should not use RSASHA1. Domain Name System Security Extensions (DNSSEC) algorithm numbers may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The key-signing key algorithm should be strong, and RSASHA1 is no longer considered secure. Use it only for compatibility reasons.

How to fix?

Where dnssec_config.default_key_specs.key_type is set to keySigning, set dnssec_config.default_key_specs.algorithm attribute to secure algorithm, such as rsasha512.

Example configuration

resource "google_dns_managed_zone" "allowed_3" {
  name        = "peering-zone-402a3"
  dns_name    = "dns.google."
  description = "Example private DNS Service Directory zone"

  dnssec_config {
    state = "on"
    default_key_specs {
      algorithm = "rsasha512"
      key_type = "keySigning"
      key_length = 2048
    }
    default_key_specs {
      algorithm = "rsasha512"
      key_type = "zoneSigning"
      key_length = 1024
    }
  }
}

Terraform

google_dns_managed_zone